01-06-2022 02:04 PM
I have been banging my head against Google trying to get Duo Auth Proxy (Ubuntu) to work with LDAPS using a self-signed cert. I have confirmed that LDAPS is working using the cert I created. Ldp.exe binds over LDAPS (after I import the .cer into my Windows PC), a SaaS service is able to use LDAPS, and our Meraki AD integration picked it up. I have double- and triple-checked my DC to make sure I have the correct cert.
Duo works fine when I comment out the LDAPS strings in the ad_client section of my config file.
The cert was created in PowerShell, and the correct hostnames are being used. I put the .PFX in the personal computer store on the Domain Controller, and exported that same .PFX in .CER Base64, then converted that to .PEM using OpenSSL.
I am using a Duo free account if that makes any difference.
01-06-2022 03:08 PM
Since the cert is self-signed, it is its own CA, and has to be added to the “SSL CA certs file” as mentioned in your error message. (Or change the Auth Proxy’s config to point to a new file containing a copy of the cert.)
01-06-2022 03:35 PM
I am specifying the exported .PEM in the authproxy config. See below for the LDAPS parts in my config:
transport=ldaps
ssl_ca_certs_file=dc.pem    (the exported PEM, placed in /conf)
ssl_verify_hostname=true
I’ll look into the SSL CA certs file. Thanks!
01-07-2022 06:38 AM
I created a new cert using OpenSSL on Linux and got everything working. I don’t know why it didn’t like the cert I created with PowerShell, possibly because it was a 6 year cert? The new one is only 1 year.
I generated the .KEY and .CRT, then converted the .KEY to .PFX. This was all done with OpenSSL.
01-10-2022 07:52 AM
Did the first self-signed cert include “Certificate Signing” in its key usage? That is an extra requirement we have (mentioned in the description of the ad_client ssl_ca_certs_file parameter) when you use a self-signed cert. I don’t think New-SelfSignedCertificate includes that key usage by default.
01-10-2022 09:18 AM
That was most likely it. I can’t find any reference to “Certificate Signing” in the New-SelfSignedCertificate cmdlet. All I worried about were the correct hostname/alternative names, then exported the .PFX and .CRT files. The Org/OU/etc fields were all left blank unlike my OpenSSL cert. I also had to create the .PFX using the .KEY and .CER files that were created with OpenSSL.
Hopefully this helps someone.
01-10-2022 09:34 AM
-keyusage certsign
Specifies the key usages set in the key usage extension of the certificate. The acceptable values for this parameter are:
CertSign
CRLSign
DataEncipherment
DecipherOnly
DigitalSignature
EncipherOnly
KeyAgreement
KeyEncipherment
None (default)
NonRepudiation
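An added PowerShell example, not from any post in this thread, that creates the DC’s self-signed LDAPS certificate with the “Certificate Signing” key usage the ad_client ssl_ca_certs_file parameter requires, checks that the usage is actually present, and writes the Base64 PEM the Auth Proxy config points at. The hostnames, output path and PFX password are placeholders.

```powershell
# Added example: self-signed DC cert for LDAPS that includes the Certificate Signing
# key usage the Duo ad_client ssl_ca_certs_file parameter requires for self-signed certs.
# Hostnames, paths and the PFX password below are placeholders, not values from the thread.
$DnsNames = @('dc01.example.local', 'example.local')   # placeholder hostnames (SANs)
$OutDir   = 'C:\certs'                                 # placeholder output directory
$PfxPass  = ConvertTo-SecureString 'ChangeMe!' -AsPlainText -Force  # placeholder password

function New-LdapsSelfSignedCert {
    param([string[]]$DnsName, [int]$Years = 1)
    # CertSign is what a default New-SelfSignedCertificate call leaves out;
    # DigitalSignature and KeyEncipherment are the usual TLS server usages.
    New-SelfSignedCertificate `
        -DnsName $DnsName `
        -Subject "CN=$($DnsName[0])" `
        -FriendlyName 'LDAPS self-signed (Duo Auth Proxy)' `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyUsage CertSign, DigitalSignature, KeyEncipherment `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears($Years)
}

function Test-CertSignUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns $true only if a key usage extension exists and includes KeyCertSign
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { return $false }
    return $ku.KeyUsages.HasFlag(
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)
}

function Export-CertAsPem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    # Base64 DER with PEM armour: the same content as a "Base-64 encoded X.509" .cer export
    $b64 = [Convert]::ToBase64String($Cert.RawData, 'InsertLineBreaks')
    Set-Content -Path $Path -Encoding ascii -Value "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cert = New-LdapsSelfSignedCert -DnsName $DnsNames
if (-not (Test-CertSignUsage $cert)) { throw 'Certificate lacks the Certificate Signing key usage' }
Export-CertAsPem -Cert $cert -Path (Join-Path $OutDir 'dc.pem')   # copy this into the Auth Proxy conf dir
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'dc.pfx') -Password $PfxPass | Out-Null
"Thumbprint $($cert.Thumbprint): CertSign present, dc.pem written to $OutDir"
```

Run it in an elevated PowerShell on the domain controller; the cert lands in the Local Machine personal store, which is where the DC looks for an LDAPS certificate.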